Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69796

User enumeration through the groupuserpicker api resource - CVE-2019-8449

XMLWordPrintable

      Issue summary

      The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

      Workaround

      If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in blocking this API endpoint on the Tomcat side by forcing it to return a 403 error.

      The steps are:

      1. Add to the file <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml the rule below, which will return a 403 error whenever someone who is not authenticated via Cookie (IE, normal browser access, or cookie based API calls) calls /rest/api/latest/groupuserpicker: 
            <rule>
     	<condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
     	<from>^(?s)/rest/api/.*/groupuserpicker</from>
     	<set type="status">403</set>
        	<to>null</to>
    </rule>
      1. Re-start Jira

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: